Bug #3854

closed

pf on 2.2 should not have an upper table entry limit, but generates errors with large datasets

Added by Jim Pingle over 9 years ago. Updated over 9 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Ermal Luçi
Category:
Rules / NAT
Target version:
Start date:
09/09/2014
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.2
Affected Architecture:
All

Description

On 2.2 (FreeBSD 10.x base), pf is not supposed to have an upper table size limit. The knob to set it has been removed, and yet if a sufficiently large dataset is configured, an error is produced:

pfctl: Bad address.

See https://forum.pfsense.org/index.php?topic=80856.0 for more info.


Files

Capture.JPG (22.4 KB) Capture.JPG Bill Crowder, 09/10/2014 04:35 PM
pfB_BTLevel1.txt (3.64 MB) pfB_BTLevel1.txt Bill Crowder, 09/11/2014 04:16 PM
Actions #1

Updated by Ermal Luçi over 9 years ago

  • Status changed from New to Closed

The table entries limit is still there:
maximumtableentries on System->Advanced.

What has changed is that there is no more a limit on number of tables present in a ruleset.

Actions #2

Updated by Bill Crowder over 9 years ago

Ermal,

When I ran the tests shown in forum post I had tried from 1000000 to 20000000 in System: Advanced: Firewall and NAT: Firewall Maximum Table Entries.

If you will look at Bug#3791 I have more details.

Firewall Maximum Table Entries has no effect on pfSense 2.2 as of yesterday's snapshot. This is easily repeatable.

[2.2-ALPHA][root@router.crowderfarm.local]/var/db/aliastables(8): ls -la pfB_BTLevel1.txt
-rw-r--r-- 1 root wheel 3817312 Sep 8 16:20 pfB_BTLevel1.txt
[2.2-ALPHA][root@router.crowderfarm.local]/var/db/aliastables(9): pfctl -t pfB_BTLevel1 -T replace -f /var/db/aliastables/pfB_BTLevel1.txt
pfctl: Bad address.
[2.2-ALPHA][root@router.crowderfarm.local]/var/db/aliastables(10):

[2.2-ALPHA][root@router.crowderfarm.local]/var/db/aliastables(12): pfctl -sm
states hard limit 1000000
src-nodes hard limit 1000000
frags hard limit 5000
table-entries hard limit 2000000
[2.2-ALPHA][root@router.crowderfarm.local]/var/db/aliastables(13):
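The failing command above is `pfctl -t NAME -T replace -f FILE` against a table-entries hard limit of 2000000. The script below is an added example, not code from this thread or from the pfSense project: it reads the `table-entries hard limit` line out of `pfctl -sm` output, counts the loadable entries in an alias file, and refuses the replace when the file would exceed the limit, surfacing pfctl's exit status otherwise. The `pfctl -sm` text is the sample from the post above, embedded as constructed input so the functions run without pf present; `safe_table_replace` is a hypothetical wrapper name. Note that this pre-flight check only catches a genuine over-limit load; it cannot catch a kernel ioctl defect of the kind this bug turned out to be.

```shell
#!/bin/sh
# Added example (not from the bug thread or pfSense): pre-flight check
# before `pfctl -t NAME -T replace -f FILE`, so an oversized alias file
# is rejected with a clear message instead of an opaque pfctl error.

# Sample `pfctl -sm` output copied from the post above. Constructed input
# for the example; on a real firewall pipe `pfctl -sm` in instead.
SAMPLE_LIMITS='states hard limit 1000000
src-nodes hard limit 1000000
frags hard limit 5000
table-entries hard limit 2000000'

# Print the table-entries hard limit found in `pfctl -sm`-style text on
# stdin; exit non-zero if the line is missing.
table_entries_limit() {
    awk '$1 == "table-entries" && $2 == "hard" && $3 == "limit" { print $4; found = 1 }
         END { if (!found) exit 1 }'
}

# Count the entries pfctl would try to load from an alias file: every
# line that is not blank and not a "#" comment.
count_table_entries() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | wc -l | tr -d ' '
}

# Return 0 when FILE's entry count fits within LIMIT, 1 otherwise.
fits_table_limit() {
    n=$(count_table_entries "$1")
    [ "$n" -le "$2" ]
}

# Hypothetical wrapper around the replace command from the thread: check the
# file against the live limit first, then run pfctl and return its status.
safe_table_replace() {
    table=$1
    file=$2
    limit=$(pfctl -sm | table_entries_limit) || {
        echo "could not read table-entries hard limit from pfctl -sm" >&2
        return 2
    }
    if ! fits_table_limit "$file" "$limit"; then
        echo "$file has $(count_table_entries "$file") entries, limit is $limit" >&2
        return 1
    fi
    pfctl -t "$table" -T replace -f "$file"
}
```

Usage on a pfSense box would be `safe_table_replace pfB_BTLevel1 /var/db/aliastables/pfB_BTLevel1.txt`; a non-zero return with the count message means the file, not pf, needs attention, while a non-zero return from pfctl itself (such as the "Bad address" seen above) points at the loader.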

Actions #3

Updated by Bill Crowder over 9 years ago

Better more concise details with Table-entries set at 1,000,000, have also tried 10,000,000.

This list will load correctly initially, but fails upon updating with pfctl -t ALIASNAME -T replace -f FILE with bad alias.

This list is 227,380 IP's.

pa-r- pfB_BTLevel1
Addresses: 227380
Cleared: Tue Sep 9 19:49:40 2014
References: [ Anchors: 0 Rules: 1 ]
Evaluations: [ NoMatch: 1432 Match: 42 ]
In/Block: [ Packets: 42 Bytes: 3760 ]
In/Pass: [ Packets: 0 Bytes: 0 ]
In/XPass: [ Packets: 0 Bytes: 0 ]
Out/Block: [ Packets: 0 Bytes: 0 ]
Out/Pass: [ Packets: 0 Bytes: 0 ]
Out/XPass: [ Packets: 0 Bytes: 0 ]

[2.2-ALPHA][root@router.crowderfarm.local]/var/db/aliastables(9): pfctl -t pfB_BTLevel1 -T replace -f /var/db/aliastables/pfB_BTLevel1.txt
pfctl: Bad address.

[2.2-ALPHA][root@router.crowderfarm.local]/var/db/aliastables(12): pfctl -sm
states hard limit 1000000
src-nodes hard limit 1000000
frags hard limit 5000
table-entries hard limit 2000000
[2.2-ALPHA][root@router.crowderfarm.local]/var/db/aliastables(13):

Actions #4

Updated by Bill Crowder over 9 years ago

Actions #5

Updated by Bill Crowder over 9 years ago

To show that it works on 2.1.4... This is the same exact list being replaced on 2.1.4. The list has a different alias name on my 2.1.4 VM than my 2.2 VM, but it is the same list being updated with a copy of the list that fails on 2.2. This is to show this is a regression++ and to show the /pfB_BTLevel1.txt in the above examples is functional on 2.1.4.

[2.1.4-RELEASE][root@router.crowderfarm.local]/var/db/aliastables(6): pfctl -t pfBlockerP2P -T replace -f /var/db/aliastables/pfB_BTLevel1.txt
3702 addresses added.
33472 addresses deleted.

Actions #6

Updated by Jim Pingle over 9 years ago

  • Status changed from Closed to New

Actions #7

Updated by Ermal Luçi over 9 years ago

Can you provide a link to this big list?

Actions #9

Updated by Bill Crowder over 9 years ago

pfB_BTLevel1

Actions #10

Updated by Bill Crowder over 9 years ago

This is an issue that needs to be addressed before 2.2 is released. This problem does not exist in 2.1.4.

Actions #11

Updated by Ermal Luçi over 9 years ago

  • Status changed from New to Feedback

Patch has been merged in to fix the wrong ioctl handling.

Please test newer snapshots.

Actions #12

Updated by Bill Crowder over 9 years ago

Tested this with several very large lists. I think it can be changed to resolved. Thanks.

Updating: pfB_IBlock
68 addresses added.1070 addresses deleted.
Updating: pfB_PRI2
31 addresses added.456 addresses deleted.
Updating: pfB_SEC1
8 addresses added.330 addresses deleted.
Updating: pfB_ET_IPrep
51 addresses added.1696 addresses deleted.
Updating: pfB_BT_Level1
75 addresses added.
Updating: pfB_IPv6Test
no changes.

Actions #13

Updated by Ermal Luçi over 9 years ago

  • Status changed from Feedback to Resolved

This can be marked as resolved.

Though general issues are to be solved in FreeBSD for this....
